The input language of GRASShopper is a simple procedural
imperative language that supports user-defined struct
types and arrays. The specification logic supports data
types such as mathematical sets and maps as well as
user-defined algebraic data types, predicates, and functions.

The following GRASShopper program declares a procedure
concat that concatenates two singly-linked lists:
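
The program listing itself is not reproduced on this page. What follows is an added illustration, not the original listing, of how such a procedure and its separation-logic specification could be written in GRASShopper's input language; the Node struct, the lseg predicate and the loop invariants are assumed for this sketch, and the `&*&` formulas are the kind of obligations the Theory section below describes being reduced to GRASS:

```spl
// Heap cell of a singly-linked list (constructed for this illustration)
struct Node {
  var next: Node;
  var data: Int;
}

// lseg(x, y): the list segment from x up to (not including) y.
// This recursive separation-logic predicate is what GRASShopper
// reduces to reachability constraints in GRASS.
predicate lseg(x: Node, y: Node) {
  x == y || x != y &*& acc(x) &*& lseg(x.next, y)
}

// Append list b to the end of list a.
// Pre- and postcondition use the separating conjunction &*&.
procedure concat(a: Node, b: Node) returns (res: Node)
  requires lseg(a, null) &*& lseg(b, null)
  ensures lseg(res, null)
{
  if (a == null) {
    return b;
  } else {
    var curr: Node;
    curr := a;
    // Walk to the last cell; the invariant keeps the footprint of the
    // segment already traversed, the current cell and the remainder.
    while (curr.next != null)
      invariant lseg(a, curr) &*& acc(curr) &*& lseg(curr.next, null)
      invariant lseg(b, null)
    {
      curr := curr.next;
    }
    curr.next := b;
    return a;
  }
}
```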

The tool provides an Emacs mode with syntax
highlighting and on-the-fly checking of GRASShopper
programs. Errors in the program or its specification are
automatically highlighted. There is also rudimentary
support for the visualization of counterexample traces.

Theory

Unlike other verification tools based on separation logic,
GRASShopper does not implement a dedicated theorem prover for
separation logic. Neither does it rely on user-guided proof
search. Instead, the tool reduces proof obligations in
separation logic to a decidable fragment of first-order logic,
which we refer to as the Logic of Graph Reachability with
Stratified Sets (GRASS). Reasoning in this logic is
automated using conventional Satisfiability Modulo Theories
(SMT) solvers. This approach enables a robust combination of
separation logic with other decidable first-order theories
that are important in program verification. For example,
GRASShopper can verify properties about data stored in
heap-allocated structures (such as sortedness properties) even
though the tool has no dedicated built-in support for such
properties.

Download

GRASShopper is implemented in OCaml and distributed under a
BSD license. We have tested the tool on Linux, Mac OS, and
Windows/Cygwin.

Acknowledgments

This material is based in part upon work supported by the
National Science Foundation under grants 1320583, 1618059
and 1815633.
Any opinions, findings, and conclusions or recommendations
expressed in this material are those of the author(s) and do
not necessarily reflect the views of the National Science
Foundation.